Netflix Fined €4.75 Million Over GDPR Violations

Published on January 13, 2025 by Donata Stroink-Skillrud in MainWP Blog under Privacy, WordPress Business

The Dutch Data Protection Authority (DPA) has fined Netflix €4.75 million for alleged violations of the General Data Protection Regulation (GDPR). An investigation the DPA began in 2019 found that Netflix failed to provide individuals with sufficient information in its Privacy Policy and in its responses to data subject access requests. Because GDPR and the DPA's decision together spell out what information must be provided to individuals, this case is a helpful guidepost for companies checking their own Privacy Policies to ensure that the correct information is provided.

Who does GDPR apply to? 

Since Netflix is an American company, some may be surprised to learn that the company was fined for violating Europe’s privacy law, GDPR. However, it is important to note that GDPR can and does apply to companies located outside of the European Union. In fact, GDPR will apply if any of the following factors are met, regardless of the company’s location: 

  1. The company has an establishment in the European Union; 
  2. The company offers goods or services in the European Union; 
  3. The company monitors the behavior of residents of the European Union (e.g. through features such as cookies, analytics or pixels). 

It is also important to note that GDPR can apply regardless of a company’s size, revenue amount, amount of data collected, or even nonprofit status. In fact, many small businesses and even individuals have been fined for GDPR violations. 

What are the GDPR Privacy Policy requirements? 

GDPR requires all businesses that need to comply with this law to provide individuals with an accessible and comprehensive Privacy Policy that includes the following disclosures:

  1. Your name and contact information; 
  2. What personal data you are collecting; 
  3. The purposes for which you will be using that data; 
  4. Whether you will be using personal data for direct marketing purposes; 
  5. Whether you share personal data. If you do share personal data, you will need to list the categories of third parties with whom you share the personal data; 
  6. The legal bases under which personal data is processed; 
  7. The privacy rights provided to individuals; 
  8. How individuals can exercise those privacy rights; 
  9. The fact that individuals can file a complaint regarding the processing of personal data; 
  10. How long you store personal data; 
  11. Information regarding automated decision making (if you engage in automated decision making); 
  12. Information regarding profiling (if you engage in profiling); 
  13. Where you will process personal data, including whether personal data will be transferred outside of the EU; 
  14. The contact details of your Data Protection Officer (if you have one); and 
  15. Whether your website uses cookies and other similar tracking technologies. 

The DPA found that Netflix’s Privacy Policy failed to comply with GDPR because it did not provide sufficient information regarding the following: 

  1. The purposes and legal bases for processing personal data; 
  2. The categories of third parties with whom personal data will be shared; 
  3. The retention period of personal data (i.e. how long Netflix will store personal data); and 
  4. Safeguards that will be applied in the event that personal data is transferred outside of the European Union. 

In addition, the DPA found that Netflix did not provide sufficient information to individuals who requested to access their personal data. 

Netflix’s response 

In response to the DPA's investigation, Netflix stated that the DPA was applying a more stringent interpretation of the information that businesses must provide to individuals, and that Netflix believed it had more latitude in how it communicates this information. Netflix also argued that it had tailored its Privacy Policy to be readable on a TV interface, providing additional information in a layered manner. 

The DPA disagreed with Netflix's response and determined that a fine should be applied because Netflix had failed to provide the required information to individuals using its platform. Business owners should review their own Privacy Policies to ensure that all of the requisite information is provided and that these policies are correct, comprehensive, and up to date.
